A recent Kaspersky investigation focused on the Russian-speaking APT group Tomiris, which collects intelligence in Central Asia and uses a wide variety of malware implants. These implants are developed at a rapid pace and in every conceivable programming language, presumably to hinder attribution. What attracted the researchers' attention is that Tomiris uses malware previously linked to Turla, another well-known APT group.
Several attack campaigns
Kaspersky first described Tomiris in September 2021, following an investigation into a DNS hijack affecting a public administration in the Commonwealth of Independent States (CIS). At the time, researchers had noted unconvincing similarities to the SolarWinds incident. They continued to track Tomiris as a separate threat actor across several new attack campaigns between 2021 and 2023, and Kaspersky's telemetry made it possible to clarify the group's toolset and its possible connection with Turla.
How it works
The threat actor targets CIS government entities and diplomats with the aim of stealing internal documents. Incidental victims discovered in other regions (such as the Middle East or Southeast Asia) turn out to be representative organizations of CIS countries, demonstrating how narrow Tomiris' focus is. The group attacks its victims through a wide variety of vectors. These range from spear-phishing emails with malicious attachments (password-protected archives, malicious documents, weaponized LNK files) and DNS hijacking to the exploitation of vulnerabilities (notably ProxyLogon), suspicious drive-by downloads and other "creative" methods.
Focus on APT Tomiris and its malware implants
What characterizes Tomiris' most recent operations is that they most likely used the KopiLuwak and TunnusSched malware previously linked to Turla. Despite this shared toolkit, Kaspersky's latest research suggests that Turla and Tomiris are likely distinct actors who may exchange know-how. Tomiris is undoubtedly Russian-speaking, but its goals and its activities are very different from Turla's. Furthermore, Tomiris' general approach to intrusion and limited interest in stealth do not match Turla's documented working methods.
Its peculiarities
Kaspersky researchers nevertheless believe that the sharing of tools is potential evidence of some cooperation between the two groups, the extent of which is difficult to gauge. However, depending on when Tomiris started using KopiLuwak, it may be necessary to review some campaigns and tools previously attributed to Turla.
Share intelligence
Pierre Delcher, Senior Security Researcher at Kaspersky's Global Research and Analysis Team (GReAT):
Our research shows that using KopiLuwak or TunnusSched is not enough to link cyberattacks to Turla. As far as we know, this toolset is currently being used by Tomiris, which we believe is a group distinct from Turla, although it is likely that they collaborated. Currently, examining malware samples and tactics only gets us so far, and we are often reminded that threat actors are subject to organizational and political constraints. This investigation illustrates the limitations of technical attribution, which we can only overcome through intelligence sharing.
How to protect yourself: advice from Kaspersky
- Provide the SOC team with access to the latest threat intelligence. Kaspersky Threat Intelligence Portal is a single point of access to the company's threat intelligence, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
- Bring your cybersecurity team up to speed on the latest targeted threats with Kaspersky online training developed by GReAT experts.
- For endpoint-level detection, investigation and timely remediation of incidents, deploy EDR solutions such as Kaspersky Endpoint Detection and Response.
Focus on APT Tomiris
In addition to adopting essential endpoint protection, implement an enterprise-grade security solution that detects advanced network-level threats at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
Many targeted attacks start with phishing or other social engineering techniques. It is therefore important to introduce security awareness training and pass on the necessary skills to your team, for example through the Kaspersky Automated Security Awareness Platform.